If anyone is asleep at the switch and thinks cyber is just a fad or trend, then consider this: Ginni Rometty, chairman, president and CEO of IBM, recently said, “We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world.” Do I have your attention now?
Analogies to NFL teams (offense, defense and special teams) as well as military special forces can be applied to organizing elite talent around a specific objective to the corporate cyber challenge each company faces.
Rapid technological advances have changed the game. Cybersecurity is not just an IT problem. Both public and private companies must be vastly more vigilant about comprehensive risk management and cyber defense. Corporations face a clear imperative: decisively improve enterprise cyber risk management, leadership and performance – or risk your company’s future success, or worse, it’s very future. Cyber-threats will never go away as the bad guys will never stop exploiting this new medium. The lure for bad guys stealing money, data, IP, secrets, reputations or intentions is just too great, and frequently, just too easy.
When many organizations discuss corporate asset protection and cyber-defense, they typically talk about protecting their network from adversaries. We are seeing a mad scramble to attract a cybersecurity executive A-team, truly the best of the best. Demand starts from the top down with board members who chair newly formed risk/cyber committees, Chief Risk Officers (CROs), Chief Information Security Officers (CISOs), Chief Security Officers (CSOs) and Chief Data Officers (CDOs).
[ ALSO ON CSO: Six reasons why boards of directors must be engaged in cybersecurity ]
While cyber-savvy board directors and C-Suite executives are needed to serve on all teams, so too are expert outside consultants. Success will require unprecedented cooperation from the Board and those in the C-suite to demand a culture of security. This includes implementing new training and educational initiatives and focusing on the human element – insider threat.
Security is typically viewed as a cost center and overhead. However, when done right, security can become a strategic asset and enabler to growth. To be lawful, U.S. corporations are limited to fielding a defensive team only, therefore their defensive effort must be flawless, or they are at great risk. If your company has not made the decision to attract and hire true A-players, then it is time to reconsider your strategy to protect and preserve your corporate assets, brand and market position.
A new kind of “special teams”
Let’s look at how other elite organizations structure and focus talent to achieve critical missions and objectives. The FBI calls their leaders “Special Agents.” The CIA has an elite group called the “Special Activities Division.” The Pentagon uses “Special Operations Forces” of Navy SEALs and DELTA Force warriors to combat the enemy. The National Football League (NFL) divides their teams into offense, defense, and “special teams.”
Today, most companies consider cybersecurity as a vertical in their business whereas it’s really a horizontal across-all-business lines challenge. Should companies consider restructuring to elevate the role of cyber across the enterprise by naming a unified leader empowered to play defense across the entire spectrum of risk? Let’s say a CRO was named to fulfill this role. He/she would peer with the COO and both would report directly to the CEO. What if your new CRO had a targeted small team of experts? It would include the CSO, CISO and someone each from finance, legal, compliance, operations, engineering, PR, and crisis communications.
This unique approach of targeted talent would model a Navy SEAL team which is comprised of elite specialists. The acute focus on a specific mission and agility in problem solving is not restricted to Special Forces; it’s also true of high performing sports teams. Each member of the team has a specific and crucial role to the unit. If a CRO was hired and elevated, these changes would not be trivial in resources needed, leadership to implement and the pain caused by any new change but could be a force multiplier to the business.
The stakes are too high, especially for public companies, not to have a true cyber A-team. Accordingly, companies of all sizes should ask themselves, what is “special” about our risk management and cyber team? Make the investment now before you fall behind your competition or become the target of a major breach reported on the front page. Even an A-team is not special if they don’t practice.
Creating a culture of security requires frequently challenging all members of the team, including the board. Risk management, cyber intrusion and insider threat tabletop exercises are needed to test defenses but also to ensure your special teams stay sharp. Protecting your corporate assets and brand is less a technological issue and more of an understanding, behavior and leadership issue. As with most high-impact corporate initiatives, effective strategies and solutions rarely bubble up; rather, they must be launched and supported from the top down.
Expert cyber consultants part of “Special Teams”
Many boards and CEOs have begun to “get smart” on cybersecurity and engage expert outside consultants and service providers. These trusted, competent professionals provide deep expertise and an invaluable look at a company from the outside-in. Can you say your company has identified and retained the world’s top expert consultants? If you haven’t, your competition is already doing so and gaining a strategic competitive advantage.
Companies need to take time to objectively assess their situation, identify their key gaps and build their team of internal and external experts to mitigate their risks. Strengthening defenses and developing a “special teams” will help prevent loss, but also enable the offense to score more points.
This article is published as part of the IDG Contributor Network. Want to Join?